I just signed up for an account, and noticed that upon registration, my password was emailed in plaintext to me.
That's definitely a major no-no on its own. But since your system was able to send it to me in plaintext in the first place, I'm going to assume that they are also stored in plaintext... That's pretty bad security-wise. Can someone look into this and comment?

From what I've read online, the phpBB 2 systems use an unsalted hash. And we don't force the login to https, nor do we by default link to https from the gentoo.org website. So I think that alone is insufficient as a claim of mitigation.

Well, it sure is not right to reuse a password. But still... what is wrong with the devs here? I thought Gentoo might rock my Desktop in a world which has become rather aware of security (post-Snowden era). But now I really question the security. If the Gentoo devs can't even manage to bring a bare minimum of security to their web services, how can they guarantee anything in their Linux distribution?
This is bad. This is a no! Update to a later version of phpBB, switch the forum software or shut it down entirely.
Passwords should always be
transmitted via TLS
stored in a safe way (e.g. use bcrypt with 10+ iterations)
never ever in a million years be sent away from the server in any way

Sorry if this sounds harsh, but I am a developer who is very concerned about the security of sensitive data.
For further info, please visit OWASP and especially the ASVS project over there!

This topic has been open for over 2 years (!) and still no one did the least to improve the situation.
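An added example (not from the thread, phpBB or Gentoo) contrasting the unsalted hash mentioned earlier for phpBB 2 with the salted, iterated storage the list above asks for. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, and the user names and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample: two users who happen to choose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}


def md5_unsalted(password: str) -> str:
    """Storage in the style attributed to phpBB 2: a bare, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 rounds: int = 200_000) -> str:
    """Salted, iterated storage. PBKDF2-HMAC-SHA256 is used here only because
    it is in the standard library; bcrypt/scrypt/argon2 follow the same pattern.
    Returns the self-describing string "rounds$salt_hex$digest_hex"."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; constant-time compare."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def identical_hashes(hasher: Callable[[str], str]) -> bool:
    """True when every user with the same password ends up with the same stored
    value: one cracked hash, or one precomputed-table lookup, then exposes all
    of them. Salting makes each stored value unique even for equal passwords."""
    stored = [hasher(pw) for pw in USERS.values()]
    return len(set(stored)) == 1


if __name__ == "__main__":
    print("unsalted MD5 collides across users:", identical_hashes(md5_unsalted))
    print("salted PBKDF2 collides across users:", identical_hashes(pbkdf2_store))
```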

Quote:

Sorry if this sounds harsh, but I am a developer who is very concerned about the security of sensitive data.
For further info, please visit OWASP and especially the ASVS project over there!

This topic has been open for over 2 years (!) and still no one did the least to improve the situation.

You're a developer? Patches welcome.

I mean, this person doesn't even need to be a developer. I spent 5 seconds on google to find that the mail template causing this issue is at `language/en/email/*.txt`. In any case, would you mind pointing to where the source for this modified forum is that you suggest random developers submit patches for to make your "put up or shut up" more reasonable?

Ant P. wrote:

Quote:

Update to a later version of phpBB, switch the forum software or shut it down entirely.

And how do you propose they migrate the ~8 million posts and long list of added functionality, given the above point?

Errrrr, your question presumes that doing anything at all requires fundamental changes and schema migration, instead of removal of the existing code which mails a user their plaintext password based on later versions of this version of phpBB, especially since you say that the forum software has already been heavily modified. I don't find this a ridiculous suggestion; even if they still use MD5 for password storage, they're no longer outright leaking the plaintext. Furthermore, phpBB v2 has received patches from its original authors which I don't doubt the devs here have made efforts to incorporate, but the fact that they are still sending passwords in mails suggests that this particular subject has not been given very much time or attention at all. Trying to sweep it back under the rug by suggesting it's too monumental a task isn't helpful.

Ant P. wrote:

maruru wrote:

But still... what is wrong with the devs here?

They're massively understaffed and keeping the lights on through charity of others.

That's a fine point, but suggesting that it is extremely abnormal/irresponsible for devs to ignore, or be unconcerned with, a security oversight like plaintext password leaking for at least two years does not mean that those posing questions about the devs are in any way unreasonable (or demonizing the staff/devaluing their charity/leaving the equivalent of a youtube comment in a flaming paper bag on their doorstep).

What if forum accounts are simply not considered very sensitive?
Everything of any importance (and quite some stuff of none) has been posted to be visible to the general public. You compare the account password to a "confidential" label on a briefcase. It might not stop a determined offender, but it lets you know you are not supposed to look inside.
And this bad protection is still good enough to stop kids from pulling jokes on us.

Quote:

I mean, this person doesn't even need to be a developer. I spent 5 seconds on google to find that the mail template causing this issue is at `language/en/email/*.txt`. In any case, would you mind pointing to where the source for this modified forum is that you suggest random developers submit patches for to make your "put up or shut up" more reasonable?

If you can find "the" file that needs to be changed in "5 seconds on google" (hint: either you did not, or you cited "it" incorrectly), it should take you at most another 5 seconds to find "it" under gentoo.org, happy Googling.

zamabe wrote:

Ant P. wrote:

Quote:

Update to a later version of phpBB, switch the forum software or shut it down entirely.

And how do you propose they migrate the ~8 million posts and long list of added functionality, given the above point?

Errrrr, your question presumes that doing anything at all requires fundamental changes and schema migration, instead of removal of the existing code which mails a user their plaintext password based on later versions of this version of phpBB, especially since you say that the forum software has already been heavily modified. I don't find this a ridiculous suggestion; even if they still use MD5 for password storage, they're no longer outright leaking the plaintext. Furthermore, phpBB v2 has received patches from its original authors which I don't doubt the devs here have made efforts to incorporate, but the fact that they are still sending passwords in mails suggests that this particular subject has not been given very much time or attention at all. Trying to sweep it back under the rug by suggesting it's too monumental a task isn't helpful.

Did you not read the posts you were replying to? Regardless, let us recap for your benefit: maruru suggested upgrading phpBB, Ant P. pointed out that it is not quite as simple as just running the basic update scripts, you then rail against Ant P.'s comments as though they were (1) directed at you, (2) focused on changing e-mail templates, and (3) somehow not entirely factual; none of which are the case. Kindly take a moment to actually read what you are replying to, everyone involved will benefit, especially you.

zamabe wrote:

Ant P. wrote:

maruru wrote:

But still... what is wrong with the devs here?

They're massively understaffed and keeping the lights on through charity of others.

That's a fine point, but suggesting that it is extremely abnormal/irresponsible for devs to ignore, or be unconcerned with, a security oversight like plaintext password leaking for at least two years does not mean that those posing questions about the devs are in any way unreasonable (or demonizing the staff/devaluing their charity/leaving the equivalent of a youtube comment in a flaming paper bag on their doorstep).

Two years? The forums first went online in April of 2002, the repository containing the sources for the version of phpBB in use on this site has been active since July of 2005, the last time the e-mail templates involved in sending passwords to users were modified at all (for character encoding changes) was in September of 2007. Your urgency and stridency run counter to a rather distinct lack of actual problems caused by those templates in the past 8, 10 or indeed 13 years.

Furthermore, to do the job correctly would require changing templates for all supported languages; we do not have translators for all of those languages (technically, we do not have translators as such for any of them). While automated translations might be an option, if such translations were to be inaccurate it would require a suitably bilingual (at least) individual to effectively file and/or handle the resulting bug report, if it ever actually came.

Going to skip over replying point-by-point because now that the "Site Admin" is advocating doing nothing for bogus reasons, this is flat out depressing.

A few things:
Yes, I didn't respond to the comment made and never agreed with the one I supposedly defended, I responded to the direction it leads down.
Good use of sarcasm, I'll try to match.

Onward! Did you miss counting lessons? I'll help you out. If you started the forum at version 2 in 2002, there are the years 2002 to 2015. If you count them one by one, you find there are 13 years this forum has been operational. Is that at least 2 years? (psst, I'll help you cheat: yes) Has this problem existed the entire time? (psst, this whole test is going to be answer A) Is it actually relatively simple to fix? (Remember, all A)

To continue the theme of strong conclusions; Ignoring this thread/bug for at least two years, claiming this isn't a problem, and seriously saying that removing the line which contains the "here is your plaintext password" variable can't reasonably be done without an i18n team's worth of submissions is to say that the gentoo project is a ludicrous bureaucracy. It makes more sense that the guy with the Site Admin badge can't actually do anything to fix this, and even if they could they don't want to because pointing out that it's been there for a long time as if that's a bad thing is rude.

Hopefully conspiracy-challenge is a good one-up to sarcasm in your post which concludes that "we've always done it this way." Let's see how it plays out.

PS. The best that my googling had produced for the source to the forum which potentially has the templates in it is the Translator guide. I haven't tried installing cvs to clone it. Fill me in on whether this is the right path you were referring to when you decided this was a joke and backed up the worthless "put up or shut up" from the first poster with a worthless "google it."

Last edited by zamabe on Sun Oct 04, 2015 6:01 am; edited 1 time in total

If the fix is so simple, why don't you volunteer to do it? Answer, of course, is that it isn't.

You remind me of the guy who keeps his collection of old newspapers in a 5-character combination safe inside a locked room inside a fortress with a 24/7 armed guard. If the forum's security is breached an attacker can impersonate you to the forum and that is it. No one really wants your collection of old newspapers or your forum account. Bending over backwards to protect data that isn't that sensitive to begin with just doesn't make sense.
_________________
First things first, but not necessarily in that order.

Quote:

If the fix is so simple, why don't you volunteer to do it? Answer, of course, is that it isn't.

Code:

sed '/^.*{PASSWORD}.*$/d'

Yeah, it's that simple. It's a single line with the big, unique token "{PASSWORD}". Does it make sense to you why I'm incredulous about any possible validity to this still being a thing?
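An added example (not from the thread, phpBB or the Gentoo forum sources) that applies the line deletion shown in the post above to a constructed phpBB-2-style template tree and then checks every language directory for the token, since the thread raised the multi-language point. The template text, directory layout and token names other than {PASSWORD} are constructed for the demo.

```bash
#!/bin/sh
# Added example: scrub the {PASSWORD} line from constructed templates and
# verify no language directory still carries the token.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_templates() {
    # Constructed sample templates; phpBB 2 keeps them under language/<lang>/email/.
    for lang in en de; do
        mkdir -p "$WORK/language/$lang/email"
        cat > "$WORK/language/$lang/email/user_welcome.txt" <<'EOF'
Subject: Welcome to {SITENAME} Forums

Please keep this email. Your account details are as follows:

Username: {USERNAME}
Password: {PASSWORD}

Please follow this link: {U_ACTIVATE}
EOF
    done
}

count_password_tokens() {
    # Number of template lines still carrying the token, summed over all languages.
    grep -c '{PASSWORD}' "$1"/language/*/email/*.txt | awk -F: '{ s += $2 } END { print s + 0 }'
}

scrub_password_lines() {
    # Delete every whole line containing {PASSWORD}; written without sed -i so
    # it behaves the same on GNU and BSD sed.
    for f in "$1"/language/*/email/*.txt; do
        sed '/{PASSWORD}/d' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

make_templates
BEFORE=$(count_password_tokens "$WORK")
scrub_password_lines "$WORK"
AFTER=$(count_password_tokens "$WORK")
echo "password token lines before: $BEFORE, after: $AFTER"
```

The check counts lines rather than files, so a template that carried the token twice, or a language directory that was missed, still shows up as a non-zero count after the scrub.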

desultory wrote:

Kindly take a moment to actually read what you are replying to, everyone involved will benefit, especially you.

zamabe wrote:

PS. The best that my googling had produced for the source to the forum which potentially has the templates in it is the Translator guide. I haven't tried installing cvs to clone it. Fill me in on whether this is the right path you were referring to when you decided this was a joke and backed up the worthless "put up or shut up" from the first poster with a worthless "google it."

Going to skip over replying point-by-point because now that the "Site Admin" is advocating doing nothing for bogus reasons, this is flat out depressing.

A few things:
Yes, I didn't respond to the comment made and never agreed with the one I supposedly defended, I responded to the direction it leads down.
Good use of sarcasm, I'll try to match.

Onward! Did you miss counting lessons? I'll help you out. If you started the forum at version 2 in 2002, there are the years 2002 to 2015. If you count them one by one, you find there are 13 years this forum has been operational. Is that at least 2 years? (psst, I'll help you cheat: yes) Has this problem existed the entire time? (psst, this whole test is going to be answer A) Is it actually relatively simple to fix? (Remember, all A)

To continue the theme of strong conclusions; Ignoring this thread/bug for at least two years, claiming this isn't a problem, and seriously saying that removing the line which contains the "here is your plaintext password" variable can't reasonably be done without an i18n team's worth of submissions is to say that the gentoo project is a ludicrous bureaucracy. It makes more sense that the guy with the Site Admin badge can't actually do anything to fix this, and even if they could they don't want to because pointing out that it's been there for a long time as if that's a bad thing is rude.

Not having the resources at hand to fix something correctly is not the same as needing those resources to instate an unverified "fix" just to silence a squeaky wheel.

Not having gathered such resources might imply certain things about the priority of instating a fix for the problem in question, and in this case it does.

zamabe wrote:

Hopefully conspiracy-challenge is a good one-up to sarcasm in your post which concludes that "we've always done it this way." Let's see how it plays out.

PS. The best that my googling had produced for the source to the forum which potentially has the templates in it is the Translator guide. I haven't tried installing cvs to clone it. Fill me in on whether this is the right path you were referring to when you decided this was a joke and backed up the worthless "put up or shut up" from the first poster with a worthless "google it."

Your Google Skillz™ have failed you, though a bit of basic reasoning could easily lead you to a correct answer from what you have found.

zamabe wrote:

The Doctor wrote:

If the fix is so simple, why don't you volunteer to do it? Answer, of course, is that it isn't.

Code:

sed '/^.*{PASSWORD}.*$/d'

Yeah, it's that simple. It's a single line with the big, unique token "{PASSWORD}". Does it make sense to you why I'm incredulous about any possible validity to this still being a thing?

That is not necessarily true, you might actually be worth replying to if you can figure out why.

zamabe wrote:

desultory wrote:

Kindly take a moment to actually read what you are replying to, everyone involved will benefit, especially you.

zamabe wrote:

PS. The best that my googling had produced for the source to the forum which potentially has the templates in it is the Translator guide. I haven't tried installing cvs to clone it. Fill me in on whether this is the right path you were referring to when you decided this was a joke and backed up the worthless "put up or shut up" from the first poster with a worthless "google it."

You are the one who claimed to have such impressive Google Skillz™, so asking you to employ them could only be useless if either (1) Google had not indexed the relevant information (it has), or (2) your Google Skillz™ are not all they were claimed to be (that is entirely up to you). As for "patches welcome", that is only worthless if (1) you are unable to generate such patches; or (2) you are simply not worth working with, regardless of the technical merits of any patches you would generate; both of those are entirely under your control.

Some tips for you:

If you want to retain any credibility as a developer, avoid claiming that you have a certain set of skills, then balking at their slightest exercise.

If you want to retain credibility as a functional adult, when you are told that you are acting boorishly, the correct response is to consider that possibility and act accordingly to correct that behavior, not to take it as a sign that if you were only to apply yourself a bit more diligently you could be a proper jackass.

If you want to appear overly self-important and willfully ignorant, continue quoting yourself in successive posts.

Glad, at least, to see this thread exists and isn't closed. But that's all.

My 32 character password, relayed back via email is a definite fail.

Password reset gives me a nice 29 character password, okay...

Trying to reset my password to use the full character set (including high ASCII) and limiting the new password to 32 characters; failed.... can't have a password longer than 32 characters, it was exactly 32 characters.

Tried using a lesser character set, but still 32 characters and it was okay.

https only protects so much as well.

I understand that this isn't Gentoo the distro itself, but it is the "official" Gentoo forum (isn't it?) after all, surely this deserves far greater attention and priority, especially since it might be a person's first direct experience with the Gentoo community -- not a good start, first impressions can be very damaging.

So, for a user to have some kind of security they need to create an account and then change their password immediately; until then, there is an email showing the original password in some email archive (wanted or not and warranted or not).

Secure mechanisms for password handling need to be improved all over the Internet, here is a perfect example of one that is more serious than it might otherwise seem. Even if the password wasn't sent in clear text to the new registrant, there are other factors that should be put in play to secure user logins; passwords should be allowed to be any length and use any type of ASCII character, even if a reasonable minimum length is specified.

Quote:

So, for a user to have some kind of security they need to create an account and then change their password immediately; until then, there is an email showing the original password in some email archive (wanted or not and warranted or not).

No, the only security is that this password is used only for the forum and you didn't use it for anything else.
Even a 4000-character password is useless if by breaking into the forum base, anyone can catch your bank account password as well.

The forum password doesn't need to be strong; its task is to block anyone from using your forum account to post as you, not to protect your bank.

Having your browser remember the password is a different kind of fail.

Depends. Bear in mind that not everything needs such full protection, as it is only a support forum in the first place.

I boot from an insecure BIOS chip / hardware platform, from an unencrypted / unhashed boot partition, which loads an initramfs which opens an LVM container which contains a LUKS partition with root.

Attack vectors are: insecure hardware platform. No one knows what the hardware really does (short summary)
Network => not sure if there are any loopholes / backdoors in my network stack
Remote login should be disabled, but you never know what holes the web browser has / when you visit a bad website

I am upgrading my hardware and I will implement / secure backup and hash of boot this time. As long as we do not know what's in the hardware itself, and as the ASUS BIOS is just encrypted / you never know what's really in that.

I would say that my box is safe from the average Windows 10 guy but not from someone with as much knowledge as myself.

Do you always lock your screen when you leave your computer for a coffee?

Endless topic, but thanks for your hint. That's why I have chosen some random password and reset it when the browser forgets it.

Quote:

Endless topic, but thanks for your hint. That's why I have chosen some random password and reset it when the browser forgets it.

That's a pretty good answer all up, thank you. And yes, typically I DO lock my screen usually, but I'm not perfect.

Totally agree with you on all those possible attack vectors.

I do have to admit that I use a browser add-on to interface with KeePass... that is my weakest point, but I only do that on one desktop that is /almost/ locked away. The laptop that travels doesn't have that add-on.